Crist Clark wrote:
> Tired of looking at the log messages warning me that inline-signing
> will be the default in 9.20. I want to convert my 9.18 to using
> inline-signing. Right now all of the zones use dnssec-policy and are
> dynamic.
My experience was that it was best to do bu
Ondřej Surý wrote:
>> dig +short +nsid version.bind. txt ch @dns4.p08.nsone.net
> This needs to be this: ^^^
> You missed @ and thus you asked your local resolver.
Yes, you are right. Bad on me
I actually have a script that does this, but I transcribed it for posting.
I get:
obiwan-
Rob McEwen via bind-users wrote:
> I strongly suspect that this was caused (even if indirectly?) by the MASSIVE
> and many-hours-long power outages in Europe, mainly in Spain and
> Portugal. That started on April 28, 2025, at approximately 6:33 a.m. Eastern
> Time (ET) - and the
> Vincent S. Cojot, Computer Engineering. STEP project.
> Ecole Polytechnique de Montreal, Comite Micro-Informatique.
Bonjour!
Elbows Up.
--
Michael Richardson. o O ( IPv6 IøT c
Brett Delmage via bind-users wrote:
> Specifically for me now that's the query log including the flags. But it
> could be other log files too at times. I am running DNSSEC and primary,
> secondary, and internal resolving servers so many logs are of interest at
> different times.
I
There is also https://www.rfc-editor.org/info/rfc9632.
This document specifies how to augment the Routing Policy Specification
Language (RPSL) inetnum: class to refer specifically to geofeed
comma-separated values (CSV) data files and describes an optional scheme that
uses the Resource Pub
If it doesn't work without docker, then it probably won't work with Docker.
Probably all the clue you need is in the log files. Did you read them?
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works
1. I assume example.com is signed.
2. I don't understand why you can't just remove the NS records and fold the
foo.bar.example.com data in.
3. After some interval of TTL, you can delete the DS records.
If bar.example.com is served by the same server (I assume not: because if it
was, why would
Bowie Bailey via bind-users wrote:
> The first issue is that my server uses a few views to give different IPs
> based on which network the request comes from. I found that if I point the
> zones in the different views to the same key directory, there are no errors
> and all vie
Mark Andrews wrote:
> Named and nsupdate validate input for types they know about (both text
> and wire). You would have to use versions that are not HTTPS aware and
> use unknown type format.
So, he could code it in Perl or Python or something which had a dynamic DNS
library. Bind
Matthijs Mekking wrote:
> As the main developer of dnssec-policy, I would like to confirm that
> what has been said by Michael and Nick are correct.
Cool.
> - When migrating to dnssec-policy, make sure the configuration matches
> your existing keys.
Is there a way to validate t
Greg Choules via bind-users wrote:
> What would be better (IMHO) is for you to keep "example.com" as your
> external zone in an external (hopefully in a DMZ) primary server,
> serving the world with public addresses they need to reach, and
> internally create a new zone - "interna
Given VPNs, RemoteAccess and the like, I strongly recommend against split-DNS
configurations. They were great ideas in 1993, when all sites were concave,
but that's just not the case anymore.
Instead, I recommend having a sub-zone, "internal.example.com", or some other
convenient name. Put a zo
lves the problem if interactive. Cron running a week
later usually works)
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works| network architect [
] m...@sandelman.ca http://www.sandelman.ca/
In general, you don't want to mix dynamic update zones with ones that you
want to edit by hand. I see that you are doing manual DNSSEC signing in your
cron job.
Your choices are:
a) do everything with dynamic update, and turn on automatic DNSSEC management
in bind9.
b) do your DNSSEC signing
Silva Carlos wrote:
> On server A I configured HyperLocal. On Server B I did NOT configure
> HyperLocal.
> I ran the command "dig @localhost EXAMPLES" on both servers.
> EXAMPLES: blabla.sdf.dd or teste.com.eroterrter or world.nanana
> Problem: Both Servers report that "Quer
Mark Andrews wrote:
> were wrong and wouldn't normally be that way. Something or someone
> changed them. It may have happened again. We can’t see what you see
And, AppArmor can turn things into permission denied, which are rather
mysterious. So, I'd ask for dmesg output too.
sign
m...@at.encryp.ch wrote:
> Regarding the usage of [::] - due to usage of firewall I am able to
> block connections to the 53/udp and 53/tcp which are not coming to
> specific IP addresses or ranges, I do not need such filtering
> functionality within bind itself.
Bind doesn't list
Serg via bind-users wrote:
> As an alternative approach I have tried to run with a configuration
> "listen-on-v6 { any; }", but it does behave in a way I need - it binds a
> separate socket for each discovered IP address rather than the wildcard
> address of [::].
Bind needs to bind a new s
Mike Lieberman wrote:
> The newer router blocks my local BIND servers (ONLY not clients using
> downstream servers) from receiving anything from the Internet. OUR BIND
> servers still have the local networks, but nothing else.
Your explanation is rather obtuse, but I think you mean t
Can you share a bit about why you want to get out of using
opendnssec/openhsm?
I would regard this as an opportunity to test key rollover with your parent
zone :-)
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works
John Thurston wrote:
> On a resolver running ISC BIND 9.16.36 with "dnssec-validation auto;" I am
> writing "category dnssec" to a log file at "severity info;" When I look in
> the resulting log file, I'm guessing that lines like this:
> validating com/SOA: got insecure respon
E R wrote:
> I am planning on implementing the current version of BIND to replace the
> aging, undocumented authoritative servers I inherited. I want to hide the
> primary server on our internal network and have two secondary servers be
> publicly available. While reading the DN
Havard Eidnes via bind-users wrote:
> To "fill" an ip6.arpa zone for a /64 requires 18446744073709551616
> records (yes, that's about 18 x 10^18 if my math isn't off). I predict
> you do not possess a machine capable of running BIND with that many
> records loaded -- I know we
Philip Prindeville wrote:
> What do I need to do on both ends (remote DHCP server and central DNS
> server) to push updates over?
Your list is pretty accurate.
One thing that bites me regularly is that names of the TSIG keys matters, and
that if you have a trailing . in the key name, it
I found this message:
May 8 16:41:18 tilapia named[1268]: zone ox.org/IN:
zone_rekey:dns_dnssec_keymgr failed: error occurred writing key to disk
It would be great if it could tell me the file name that failed to write, and
ideally what the error was (EPERM is my guess, but there could also be
and I don't have a CDS published.
So what happened? I shall troll my logs and see what else I can find out,
but there sure is a lot of stuff going on. Maybe lots of flotsam from my
previous situation that needs to be expunged.
--
] Never tell me the odds!
Mark Andrews wrote:
> Unless you are pointing recursive clients directly at your
> authoritative servers there is no need. The recursive servers will
> lookup the CNAME target themselves. Additionally recursive servers just
> process the CNAME and ignore the rest of the response
I upgraded to 9.18 from 9.11 or something that was in Debian bullseye.
Mar 11 18:14:27 tilapia named[9206]: /etc/bind/named.conf.options:40: invalid
prefix, bits [64..71] must be zero
Alas, line 40 has multiple IPv6 prefixes on it:
40 dns64 2607:f0b0:f:0:::/96 {
41 clients {
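The "bits [64..71] must be zero" error comes from the RFC 6052 layout for IPv4-embedded IPv6 addresses, which is what named's dns64 uses: the prefix length must be one of /32, /40, /48, /56, /64 or /96, and octet 8 (the "u" octet, bits 64..71) must be zero for every length. The following is an added example by the editor, not code from the thread or from BIND; the function names and the sample prefixes are my own, and it assumes only the RFC 6052 address layout. It checks a candidate prefix the way named does and then synthesizes the AAAA that DNS64 would return for an IPv4 address under that prefix, for all the allowed lengths rather than just /96.

```python
import ipaddress

# Prefix lengths RFC 6052 (section 2.2) allows for IPv4-embedded IPv6 addresses.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def check_dns64_prefix(prefix: str) -> list:
    """Return a list of problems with a candidate dns64 prefix (empty = acceptable).

    Mirrors the constraints named applies: the text must parse as an IPv6
    prefix with no host bits set, the length must be one of the RFC 6052
    lengths, and bits 64..71 (the 'u' octet) must be zero.
    """
    problems = []
    try:
        net = ipaddress.IPv6Network(prefix)  # strict: host bits must be zero
    except ValueError as err:
        return ["invalid prefix: %s" % err]
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        problems.append("prefix length /%d is not one of %s"
                        % (net.prefixlen, RFC6052_PREFIX_LENGTHS))
    # Octet 8 of the 16-byte address holds bits 64..71.
    if net.network_address.packed[8] != 0:
        problems.append("invalid prefix, bits [64..71] must be zero")
    return problems


def embed_ipv4(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Synthesize the IPv4-embedded IPv6 address DNS64 would return.

    The IPv4 octets are written immediately after the prefix, skipping
    octet 8 (the 'u' octet), which is the layout RFC 6052 section 2.2 gives
    for every allowed prefix length (for /96 that is simply the low 32 bits).
    """
    problems = check_dns64_prefix(prefix)
    if problems:
        raise ValueError("; ".join(problems))
    net = ipaddress.IPv6Network(prefix)
    octets = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for byte in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:
            pos += 1  # never write into the 'u' octet
        octets[pos] = byte
        pos += 1
    return ipaddress.IPv6Address(bytes(octets))


if __name__ == "__main__":
    # Constructed inputs (hypothetical, not from any real configuration); the
    # third prefix is shaped like a /96 but deliberately sets bits 64..71.
    for candidate in ("64:ff9b::/96", "2607:f0b0:f:0::/96",
                      "2607:f0b0:f:0:ff00::/96", "2001:db8::/100"):
        print(candidate, check_dns64_prefix(candidate) or "ok")
    print(embed_ipv4("64:ff9b::/96", "192.0.2.33"))
```

Running the check over the prefixes from a named.conf dns64 block before restarting named catches exactly the class of error shown in the log line above, without having to read it back out of the named startup messages.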